Solved

Tables disappeared in mysql. How to diagnose?

Posted on 2006-06-09
Last Modified: 2010-04-22
In the mysql database, a number of tables disappeared. My email records show that at 6.29AM (PST) today, a transaction that involved several of the missing tables was conducted successfully. I discovered the problem around 11AM (PST). The problem occurred in that interval of time. In the interval, I did not access the server myself, so I suspect malicious action. Are there log files that I can use to find out who connected to the database, and what they did?

Thanks,

Tuan.
Question by:qtluong
5 Comments
 
LVL 15

Accepted Solution

by:
DonConsolio earned 672 total points
ID: 16875165
If you started your mysql server with the "binary log" option (--log-bin=file) you
can use the "mysqlbinlog" command.
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 664 total points
ID: 16973999
You may find something in the /var/log/mysql files *if* the database was stopped or started, but beyond that, if you haven't got logging available on the server, you won't see much.

You might want to have a quick look at:

/var/log/messages

as this may show who has logged onto the system (not whether they did anything in mysql)....but you can then have a quick look at what type of things that people who logged in during the time window have been doing by looking at their .bash_history. Of course this assumes that the individual logged in rather than connecting from a remote location to the mysql socket.

Unfortunately, there is probably little else you can do, *unless* any of your routers/firewalls etc have some form of log available.

(   (()
(`-' _\
 ''  ''
 
0
 
LVL 2

Assisted Solution

by:arpoodle
arpoodle earned 664 total points
ID: 17081843

The binlogs (if present) will show when the commands were executed, but only contain the net-result of any insert/update/delete/drop/create as required for replication, and won't tell you who did it.

If the 'user' connected locally, then you may have some luck looking in the .mysql_history files in the various shell account home directories.

Assuming your mysql users are locked down, you should know which database users have permissions to perform such an action, so look for those usernames in the shell account command histories too as a "mysql -u<user> -p" command.

Combining the two histories will give you a good idea who did it, but as said, if the connection came from outside the server, then you will need to interrogate firewall or other access logs.

a
0
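Added example, not part of any answer in this thread: a Python filter over the text that `mysqlbinlog` prints, following the binary-log approach in DonConsolio's and arpoodle's answers. It lists DROP TABLE, DROP DATABASE and RENAME TABLE statements logged inside the question's 6:29 to 11:00 window with their timestamp and thread_id. The sample log, schema and table names are constructed, the date is assumed from the posting date, and the header layout is assumed to match what your MySQL version prints.

```python
import re
import sys
from datetime import datetime

# Header mysqlbinlog prints before each logged statement (Query event).
HEADER = re.compile(r"^#(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s+server id\s+\d+"
                    r".*\bQuery\s+thread_id=(\d+)")
USE_DB = re.compile(r"^use\s+`?([^`;\s/]+)", re.IGNORECASE)
REMOVAL = re.compile(r"^\s*(DROP\s+(TABLE|DATABASE)|RENAME\s+TABLE)\b", re.IGNORECASE)

# Constructed sample in mysqlbinlog's text layout; not taken from the thread.
SAMPLE = """\
#060609  6:29:11 server id 1  end_log_pos 263 \tQuery\tthread_id=41\texec_time=0\terror_code=0
use shop;
SET TIMESTAMP=1149859751;
INSERT INTO orders (customer_id, total) VALUES (17, 42.50);
#060609  8:14:52 server id 1  end_log_pos 351 \tQuery\tthread_id=58\texec_time=0\terror_code=0
SET TIMESTAMP=1149866092;
DROP TABLE orders;
#060609  8:14:53 server id 1  end_log_pos 442 \tQuery\tthread_id=58\texec_time=0\terror_code=0
SET TIMESTAMP=1149866093;
DROP TABLE customers;
#060609 11:42:10 server id 1  end_log_pos 530 \tQuery\tthread_id=63\texec_time=0\terror_code=0
SET TIMESTAMP=1149878530;
DROP TABLE scratch;
"""

def find_table_removals(lines, start, end):
    """Return (time, thread_id, database, statement) for removals inside [start, end]."""
    hits, when, thread, db = [], None, None, None
    for line in lines:
        header = HEADER.match(line)
        if header:
            when = datetime.strptime(" ".join(header.group(1, 2)), "%y%m%d %H:%M:%S")
            thread = int(header.group(3))
        elif USE_DB.match(line):
            db = USE_DB.match(line).group(1)
        elif when and start <= when <= end and REMOVAL.match(line):
            # Drop the terminator (";" or the newer "/*!*/;") from the statement.
            hits.append((when, thread, db, re.sub(r"\s*(/\*!\*/)?;\s*$", "", line.strip())))
    return hits

if __name__ == "__main__":
    # Normal use: mysqlbinlog <binlog file> | python3 this_script.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    # Window from the question; the date is assumed from the posting date.
    window = (datetime(2006, 6, 9, 6, 29), datetime(2006, 6, 9, 11, 0))
    for when, thread, db, stmt in find_table_removals(source, *window):
        print(f"{when}  thread_id={thread}  db={db}  {stmt}")
```

The header times are rendered in the time zone of the host running `mysqlbinlog`, so decode the log on the database server or adjust the window. The thread_id groups statements issued over one connection but, as arpoodle's answer says, the binlog does not name the account.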
